akkiliON

Apache Warns of Zero-Day Exploit in the Wild — Patch Your Web Servers Now!


Apache has issued patches to address two security vulnerabilities, including a path traversal and file disclosure flaw in its HTTP server that it said is being actively exploited in the wild.

 

"A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root," the open-source project maintainers noted in an advisory published Tuesday.

 

"If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts."

 

The flaw, tracked as CVE-2021-41773, affects only Apache HTTP server version 2.4.49. Ash Daulton and cPanel Security Team have been credited with discovering and reporting the issue on September 29, 2021.

 

[Image. Source: PT SWARM]

 

 

Apache also resolved a null pointer dereference vulnerability in the processing of HTTP/2 requests (CVE-2021-41524), which allows an adversary to perform a denial-of-service (DoS) attack on the server. The non-profit corporation said the weakness was introduced in version 2.4.49.

 

Apache users are highly recommended to patch as soon as possible to contain the path traversal vulnerability and mitigate any risk associated with active exploitation of the flaw.

 

 
 

https://securityaffairs.co/wordpress/122999/hacking/apache-zero-day-flaw.html

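The advisory quoted in the post names two conditions an administrator can check: the server runs 2.4.49, and files outside the document root are not covered by 'require all denied'. The Python below is an added example, not part of the original post or any Apache tooling; it audits both from a version banner and a config text. The function names, the sample banner and the sample configs are constructed for illustration, and the check assumes a single config text with `Require all ...` directives (it does not follow `Include` files).

```python
import re

AFFECTED = {"2.4.49"}  # the only version the article names for CVE-2021-41773

# Constructed sample inputs, not taken from a real server.
SAMPLE_BANNER = "Server version: Apache/2.4.49 (Unix)"
SAMPLE_WEAK = """
<Directory />
    AllowOverride none
    Require all granted
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
"""
# Same config with only the filesystem-root block switched to deny.
SAMPLE_HARDENED = SAMPLE_WEAK.replace("all granted", "all denied", 1)

ROOT_OPEN = re.compile(r'<Directory\s+"?/"?\s*>', re.I)
ROOT_CLOSE = re.compile(r"</Directory\s*>", re.I)
REQUIRE_ALL = re.compile(r"Require\s+all\s+(granted|denied)\b", re.I)

def httpd_version(banner):
    """Extract x.y.z from `httpd -v` style output, or None."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None

def root_directory_policy(conf):
    """Last 'Require all ...' value inside <Directory /> blocks, or None."""
    policy, in_root = None, False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # Apache comments occupy whole lines
        if ROOT_OPEN.match(line):
            in_root = True
        elif ROOT_CLOSE.match(line):
            in_root = False
        elif in_root and (m := REQUIRE_ALL.match(line)):
            policy = m.group(1).lower()
    return policy

def audit(banner, conf):
    """Return a list of findings; an empty list means neither condition holds."""
    findings = []
    if httpd_version(banner) in AFFECTED:
        findings.append("affected httpd version: apply the Apache patch")
    if root_directory_policy(conf) != "denied":
        findings.append("filesystem root lacks 'Require all denied'")
    return findings
```

A hardened root block removes only the second finding; the version finding stays until the server is patched.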
